// Copyright (c) HashiCorp, Inc.
// SPDX-License-Identifier: MPL-2.0

package guardduty_test

import (
	"context"
	"errors"
	"fmt"
	"testing"

	"github.com/aws/aws-sdk-go-v2/aws"
	"github.com/aws/aws-sdk-go-v2/service/guardduty"
	awstypes "github.com/aws/aws-sdk-go-v2/service/guardduty/types"
	sdkacctest "github.com/hashicorp/terraform-plugin-testing/helper/acctest"
	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
	"github.com/hashicorp/terraform-plugin-testing/terraform"
	"github.com/hashicorp/terraform-provider-aws/internal/acctest"
	"github.com/hashicorp/terraform-provider-aws/internal/conns"
	"github.com/hashicorp/terraform-provider-aws/internal/create"
	tfguardduty "github.com/hashicorp/terraform-provider-aws/internal/service/guardduty"
	"github.com/hashicorp/terraform-provider-aws/internal/tfresource"
	"github.com/hashicorp/terraform-provider-aws/names"
)

func init() {
	acctest.RegisterServiceErrorCheckFunc(names.GuardDutyServiceID, testAccErrorCheckSkip)
}

func testAccErrorCheckSkip(t *testing.T) resource.ErrorCheckFunc {
	return acctest.ErrorCheckSkipMessagesContaining(t,
		"AccessDeniedException: User",
	)
}

func TestAccGuardDutyMalwareProtectionPlan_basic(t *testing.T) {
	ctx := acctest.Context(t)

	var malwareProtectionPlan guardduty.GetMalwareProtectionPlanOutput
	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	resourceName := "aws_guardduty_malware_protection_plan.test"

	resource.ParallelTest(t, resource.TestCase{
		PreCheck: func() {
			acctest.PreCheck(ctx, t)
			testAccPreCheck(ctx, t)
		},
		ErrorCheck:               acctest.ErrorCheck(t, names.GuardDutyServiceID),
		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
		CheckDestroy:             testAccCheckMalwareProtectionPlanDestroy(ctx),
		Steps: []resource.TestStep{
			{
				Config: testAccMalwareProtectionPlanConfig_basic(rName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					acctest.CheckResourceAttrRegionalARNFormat(ctx, resourceName, names.AttrARN, "guardduty", "malware-protection-plan/{id}"),
					resource.TestCheckResourceAttrSet(resourceName, names.AttrCreatedAt),
					resource.TestCheckResourceAttrSet(resourceName, names.AttrID),
					resource.TestCheckResourceAttrPair(resourceName, names.AttrRole, "aws_iam_role.test", names.AttrARN),
					resource.TestCheckResourceAttr(resourceName, names.AttrStatus, string(awstypes.MalwareProtectionPlanStatusActive)),
					resource.TestCheckResourceAttr(resourceName, "actions.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "actions.0.tagging.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "actions.0.tagging.0.status", string(awstypes.MalwareProtectionPlanTaggingActionStatusDisabled)),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.#", "1"),
					resource.TestCheckResourceAttrPair(resourceName, "protected_resource.0.s3_bucket.0.bucket_name", "aws_s3_bucket.test", names.AttrID),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.#", "0"),
				),
			},
			{
				ResourceName:            resourceName,
				ImportState:             true,
				ImportStateVerify:       true,
				ImportStateVerifyIgnore: []string{},
			},
		},
	})
}

func TestAccGuardDutyMalwareProtectionPlan_role(t *testing.T) {
	ctx := acctest.Context(t)

	var malwareProtectionPlan guardduty.GetMalwareProtectionPlanOutput
	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	rName2 := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	resourceName := "aws_guardduty_malware_protection_plan.test"

	resource.ParallelTest(t, resource.TestCase{
		PreCheck: func() {
			acctest.PreCheck(ctx, t)
			testAccPreCheck(ctx, t)
		},
		ErrorCheck:               acctest.ErrorCheck(t, names.GuardDutyServiceID),
		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
		CheckDestroy:             testAccCheckMalwareProtectionPlanDestroy(ctx),
		Steps: []resource.TestStep{
			{
				Config: testAccMalwareProtectionPlanConfig_role(rName, rName2, "first"),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					resource.TestCheckResourceAttrPair(resourceName, names.AttrRole, "aws_iam_role.test", names.AttrARN),
				),
			},
			{
				ResourceName:            resourceName,
				ImportState:             true,
				ImportStateVerify:       true,
				ImportStateVerifyIgnore: []string{},
			},
			{
				Config: testAccMalwareProtectionPlanConfig_role(rName, rName2, "second"),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					resource.TestCheckResourceAttrPair(resourceName, names.AttrRole, "aws_iam_role.test2", names.AttrARN),
				),
			},
		},
	})
}

func TestAccGuardDutyMalwareProtectionPlan_actionsTaggingStatus(t *testing.T) {
	ctx := acctest.Context(t)

	var malwareProtectionPlan guardduty.GetMalwareProtectionPlanOutput
	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	resourceName := "aws_guardduty_malware_protection_plan.test"

	originalStatus := string(awstypes.MalwareProtectionPlanTaggingActionStatusDisabled)
	updatedStatus := string(awstypes.MalwareProtectionPlanTaggingActionStatusEnabled)

	resource.ParallelTest(t, resource.TestCase{
		PreCheck: func() {
			acctest.PreCheck(ctx, t)
			testAccPreCheck(ctx, t)
		},
		ErrorCheck:               acctest.ErrorCheck(t, names.GuardDutyServiceID),
		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
		CheckDestroy:             testAccCheckMalwareProtectionPlanDestroy(ctx),
		Steps: []resource.TestStep{
			{
				Config: testAccMalwareProtectionPlanConfig_actionsTaggingStatus(rName, originalStatus),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					resource.TestCheckResourceAttr(resourceName, "actions.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "actions.0.tagging.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "actions.0.tagging.0.status", originalStatus),
				),
			},
			{
				ResourceName:            resourceName,
				ImportState:             true,
				ImportStateVerify:       true,
				ImportStateVerifyIgnore: []string{},
			},
			{
				Config: testAccMalwareProtectionPlanConfig_actionsTaggingStatus(rName, updatedStatus),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					resource.TestCheckResourceAttr(resourceName, "actions.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "actions.0.tagging.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "actions.0.tagging.0.status", updatedStatus),
				),
			},
		},
	})
}

func TestAccGuardDutyMalwareProtectionPlan_protectedResourceS3BucketName(t *testing.T) {
	ctx := acctest.Context(t)

	var malwareProtectionPlanV1, malwareProtectionPlanV2 guardduty.GetMalwareProtectionPlanOutput

	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	rName2 := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	resourceName := "aws_guardduty_malware_protection_plan.test"

	resource.ParallelTest(t, resource.TestCase{
		PreCheck: func() {
			acctest.PreCheck(ctx, t)
			testAccPreCheck(ctx, t)
		},
		ErrorCheck:               acctest.ErrorCheck(t, names.GuardDutyServiceID),
		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
		CheckDestroy:             testAccCheckMalwareProtectionPlanDestroy(ctx),
		Steps: []resource.TestStep{
			{
				Config: testAccMalwareProtectionPlanConfig_protectedResourceS3BucketName(rName, rName2, "first"),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlanV1),
					resource.TestCheckResourceAttrPair(resourceName, names.AttrRole, "aws_iam_role.test", names.AttrARN),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.#", "1"),
					resource.TestCheckResourceAttrPair(resourceName, "protected_resource.0.s3_bucket.0.bucket_name", "aws_s3_bucket.test", names.AttrID),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.#", "0"),
				),
			},
			{
				ResourceName:            resourceName,
				ImportState:             true,
				ImportStateVerify:       true,
				ImportStateVerifyIgnore: []string{},
			},
			{
				Config: testAccMalwareProtectionPlanConfig_protectedResourceS3BucketName(rName, rName2, "second"),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlanV2),
					testAccCheckMalwareProtectionPlanRecreated(&malwareProtectionPlanV1, &malwareProtectionPlanV2),
					resource.TestCheckResourceAttrPair(resourceName, names.AttrRole, "aws_iam_role.test2", names.AttrARN),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.#", "1"),
					resource.TestCheckResourceAttrPair(resourceName, "protected_resource.0.s3_bucket.0.bucket_name", "aws_s3_bucket.test2", names.AttrID),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.#", "0"),
				),
			},
		},
	})
}

func TestAccGuardDutyMalwareProtectionPlan_protectedResourceS3BucketObjectPrefix(t *testing.T) {
	ctx := acctest.Context(t)

	var malwareProtectionPlan guardduty.GetMalwareProtectionPlanOutput
	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	resourceName := "aws_guardduty_malware_protection_plan.test"

	firstObjectPrefixOriginal := "first-original"
	firstObjectPrefixUpdated := "first-updated"
	secondObjectPrefixOriginal := "second-original"

	resource.ParallelTest(t, resource.TestCase{
		PreCheck: func() {
			acctest.PreCheck(ctx, t)
			testAccPreCheck(ctx, t)
		},
		ErrorCheck:               acctest.ErrorCheck(t, names.GuardDutyServiceID),
		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
		CheckDestroy:             testAccCheckMalwareProtectionPlanDestroy(ctx),
		Steps: []resource.TestStep{
			{
				// Test create with single object prefix
				Config: testAccMalwareProtectionPlanConfig_protectedResourceS3BucketObjectPrefixesOne(rName, firstObjectPrefixOriginal),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.#", "1"),
					resource.TestCheckResourceAttrPair(resourceName, "protected_resource.0.s3_bucket.0.bucket_name", "aws_s3_bucket.test", names.AttrID),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.#", "1"),
					resource.TestCheckTypeSetElemAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.*", firstObjectPrefixOriginal),
				),
			},
			{
				ResourceName:            resourceName,
				ImportState:             true,
				ImportStateVerify:       true,
				ImportStateVerifyIgnore: []string{},
			},
			{
				// Test updating the first original value and introducing a new value
				Config: testAccMalwareProtectionPlanConfig_protectedResourceS3BucketObjectPrefixesTwo(rName, firstObjectPrefixUpdated, secondObjectPrefixOriginal),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.#", "1"),
					resource.TestCheckResourceAttrPair(resourceName, "protected_resource.0.s3_bucket.0.bucket_name", "aws_s3_bucket.test", names.AttrID),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.#", "2"),
					resource.TestCheckTypeSetElemAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.*", firstObjectPrefixUpdated),
					resource.TestCheckTypeSetElemAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.*", secondObjectPrefixOriginal),
				),
			},
			{
				// Test removal of all object prefixes
				Config: testAccMalwareProtectionPlanConfig_protectedResourceS3BucketObjectPrefixesZero(rName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.#", "1"),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.#", "1"),
					resource.TestCheckResourceAttrPair(resourceName, "protected_resource.0.s3_bucket.0.bucket_name", "aws_s3_bucket.test", names.AttrID),
					resource.TestCheckResourceAttr(resourceName, "protected_resource.0.s3_bucket.0.object_prefixes.#", "0"),
				),
			},
		},
	})
}

func TestAccGuardDutyMalwareProtectionPlan_disappears(t *testing.T) {
	ctx := acctest.Context(t)

	var malwareProtectionPlan guardduty.GetMalwareProtectionPlanOutput
	rName := sdkacctest.RandomWithPrefix(acctest.ResourcePrefix)
	resourceName := "aws_guardduty_malware_protection_plan.test"

	resource.ParallelTest(t, resource.TestCase{
		PreCheck: func() {
			acctest.PreCheck(ctx, t)
			testAccPreCheck(ctx, t)
		},
		ErrorCheck:               acctest.ErrorCheck(t, names.GuardDutyServiceID),
		ProtoV5ProviderFactories: acctest.ProtoV5ProviderFactories,
		CheckDestroy:             testAccCheckMalwareProtectionPlanDestroy(ctx),
		Steps: []resource.TestStep{
			{
				Config: testAccMalwareProtectionPlanConfig_basic(rName),
				Check: resource.ComposeTestCheckFunc(
					testAccCheckMalwareProtectionPlanExists(ctx, resourceName, &malwareProtectionPlan),
					acctest.CheckFrameworkResourceDisappears(ctx, acctest.Provider, tfguardduty.ResourceMalwareProtectionPlan, resourceName),
				),
				ExpectNonEmptyPlan: true,
			},
		},
	})
}

func testAccCheckMalwareProtectionPlanDestroy(ctx context.Context) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		conn := acctest.Provider.Meta().(*conns.AWSClient).GuardDutyClient(ctx)

		for _, rs := range s.RootModule().Resources {
			if rs.Type != "aws_guardduty_malware_protection_plan" {
				continue
			}

			_, err := tfguardduty.FindMalwareProtectionPlanByID(ctx, conn, rs.Primary.ID)

			if tfresource.NotFound(err) {
				continue
			}

			if err != nil {
				return create.Error(names.GuardDuty, create.ErrActionCheckingDestroyed, tfguardduty.ResNameMalwareProtectionPlan, rs.Primary.ID, err)
			}
		}

		return nil
	}
}

func testAccCheckMalwareProtectionPlanExists(ctx context.Context, name string, malwareProtectionPlan *guardduty.GetMalwareProtectionPlanOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		rs, ok := s.RootModule().Resources[name]
		if !ok {
			return create.Error(names.GuardDuty, create.ErrActionCheckingExistence, tfguardduty.ResNameMalwareProtectionPlan, name, errors.New("not found"))
		}

		if rs.Primary.ID == "" {
			return create.Error(names.GuardDuty, create.ErrActionCheckingExistence, tfguardduty.ResNameMalwareProtectionPlan, name, errors.New("not set"))
		}

		conn := acctest.Provider.Meta().(*conns.AWSClient).GuardDutyClient(ctx)
		resp, err := conn.GetMalwareProtectionPlan(ctx, &guardduty.GetMalwareProtectionPlanInput{
			MalwareProtectionPlanId: aws.String(rs.Primary.ID),
		})

		if err != nil {
			return create.Error(names.GuardDuty, create.ErrActionCheckingExistence, tfguardduty.ResNameMalwareProtectionPlan, rs.Primary.ID, err)
		}

		*malwareProtectionPlan = *resp

		return nil
	}
}

func testAccCheckMalwareProtectionPlanRecreated(before, after *guardduty.GetMalwareProtectionPlanOutput) resource.TestCheckFunc {
	return func(s *terraform.State) error {
		if before, after := aws.ToString(before.Arn), aws.ToString(after.Arn); before == after {
			return fmt.Errorf("Malware Protection Plan (%s) not recreated", before)
		}

		return nil
	}
}

func testAccPreCheck(ctx context.Context, t *testing.T) {
	conn := acctest.Provider.Meta().(*conns.AWSClient).GuardDutyClient(ctx)

	input := &guardduty.ListMalwareProtectionPlansInput{}
	_, err := conn.ListMalwareProtectionPlans(ctx, input)

	if acctest.PreCheckSkipError(err) {
		t.Skipf("skipping acceptance testing: %s", err)
	}
	if err != nil {
		t.Fatalf("unexpected PreCheck error: %s", err)
	}
}

func testAccMalwareProtectionPlanConfigBase(rName string) string {
	return fmt.Sprintf(`
data "aws_region" "current" {}
data "aws_caller_identity" "current" {}
data "aws_partition" "current" {}

data "aws_iam_policy_document" "assume_role" {
  statement {
    actions = ["sts:AssumeRole"]
    effect  = "Allow"

    principals {
      type        = "Service"
      identifiers = ["malware-protection-plan.guardduty.amazonaws.com"]
    }
  }
}

data "aws_iam_policy_document" "test" {
  statement {
    sid = "AllowManagedRuleToSendS3EventsToGuardDuty"
    actions = [
      "events:PutRule",
      "events:DeleteRule",
      "events:PutTargets",
      "events:RemoveTargets"
    ]
    effect = "Allow"
    resources = [
      "arn:${data.aws_partition.current.partition}:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
    ]

    condition {
      test     = "StringLike"
      variable = "events:ManagedBy"

      values = [
        "malware-protection-plan.guardduty.amazonaws.com"
      ]
    }
  }

  statement {
    sid = "AllowGuardDutyToMonitorEventBridgeManagedRule"
    actions = [
      "events:DescribeRule",
      "events:ListTargetsByRule"
    ]
    effect = "Allow"
    resources = [
      "arn:${data.aws_partition.current.partition}:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
    ]
  }

  statement {
    sid = "AllowPostScanTag"
    actions = [
      # Customer bucket is versioned
      "s3:PutObjectTagging",
      "s3:GetObjectTagging",
      # Customer bucket is not versioned
      "s3:PutObjectVersionTagging",
      "s3:GetObjectVersionTagging"
    ]
    effect = "Allow"
    resources = [
      "${aws_s3_bucket.test.arn}/*"
    ]
  }

  statement {
    sid = "AllowEnableS3EventBridgeEvents"
    actions = [
      "s3:PutBucketNotification",
      "s3:GetBucketNotification"
    ]
    effect = "Allow"
    resources = [
      aws_s3_bucket.test.arn
    ]
  }

  statement {
    sid = "AllowPutValidationObject"
    actions = [
      "s3:PutObject"
    ]
    effect = "Allow"
    resources = [
      "${aws_s3_bucket.test.arn}/malware-protection-resource-validation-object"
    ]
  }

  statement {
    sid = "AllowCheckBucketOwnership"
    actions = [
      "s3:ListBucket"
    ]
    effect = "Allow"
    resources = [
      aws_s3_bucket.test.arn
    ]
  }

  statement {
    sid = "AllowMalwareScan"
    actions = [
      # Customer bucket is versioned
      "s3:GetObject",
      # Customer bucket is not versioned
      "s3:GetObjectVersion"
    ]
    effect = "Allow"
    resources = [
      "${aws_s3_bucket.test.arn}/*"
    ]
  }
}

resource "aws_s3_bucket" "test" {
  bucket        = %[1]q
  force_destroy = true
}

resource "aws_iam_role" "test" {
  name               = %[1]q
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name   = %[1]q
    policy = data.aws_iam_policy_document.test.json
  }
}
`, rName)
}

func testAccMalwareProtectionPlanConfig_basic(rName string) string {
	return acctest.ConfigCompose(
		testAccMalwareProtectionPlanConfigBase(rName), `
resource "aws_guardduty_malware_protection_plan" "test" {
  role = aws_iam_role.test.arn

  protected_resource {
    s3_bucket {
      bucket_name = aws_s3_bucket.test.id
    }
  }
}
`,
	)
}

func testAccMalwareProtectionPlanConfig_role(rName, rName2, selectRole string) string {
	return acctest.ConfigCompose(
		testAccMalwareProtectionPlanConfigBase(rName),
		fmt.Sprintf(`
locals {
  select_role = %[2]q
}

resource "aws_iam_role" "test2" {
  name               = %[1]q
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name   = %[1]q
    policy = data.aws_iam_policy_document.test.json
  }
}

resource "aws_guardduty_malware_protection_plan" "test" {
  role = local.select_role == "first" ? aws_iam_role.test.arn : aws_iam_role.test2.arn

  protected_resource {
    s3_bucket {
      bucket_name = aws_s3_bucket.test.id
    }
  }
}
`, rName2, selectRole),
	)
}

func testAccMalwareProtectionPlanConfig_actionsTaggingStatus(rName, status string) string {
	return acctest.ConfigCompose(
		testAccMalwareProtectionPlanConfigBase(rName),
		fmt.Sprintf(`
resource "aws_guardduty_malware_protection_plan" "test" {
  role = aws_iam_role.test.arn

  protected_resource {
    s3_bucket {
      bucket_name = aws_s3_bucket.test.id
    }
  }

  actions {
    tagging {
      status = %[1]q
    }
  }
}
`, status),
	)
}

func testAccMalwareProtectionPlanConfig_protectedResourceS3BucketName(rName, rName2, selectBucket string) string {
	return acctest.ConfigCompose(
		testAccMalwareProtectionPlanConfigBase(rName),
		fmt.Sprintf(`
locals {
  select_bucket = %[2]q
}

data "aws_iam_policy_document" "test2" {
  statement {
    sid = "AllowManagedRuleToSendS3EventsToGuardDuty"
    actions = [
      "events:PutRule",
      "events:DeleteRule",
      "events:PutTargets",
      "events:RemoveTargets"
    ]
    effect = "Allow"
    resources = [
      "arn:${data.aws_partition.current.partition}:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
    ]

    condition {
      test     = "StringLike"
      variable = "events:ManagedBy"

      values = [
        "malware-protection-plan.guardduty.amazonaws.com"
      ]
    }
  }

  statement {
    sid = "AllowGuardDutyToMonitorEventBridgeManagedRule"
    actions = [
      "events:DescribeRule",
      "events:ListTargetsByRule"
    ]
    effect = "Allow"
    resources = [
      "arn:${data.aws_partition.current.partition}:events:${data.aws_region.current.region}:${data.aws_caller_identity.current.account_id}:rule/DO-NOT-DELETE-AmazonGuardDutyMalwareProtectionS3*"
    ]
  }

  statement {
    sid = "AllowPostScanTag"
    actions = [
      # Customer bucket is versioned
      "s3:PutObjectTagging",
      "s3:GetObjectTagging",
      # Customer bucket is not versioned
      "s3:PutObjectVersionTagging",
      "s3:GetObjectVersionTagging"
    ]
    effect = "Allow"
    resources = [
      "${aws_s3_bucket.test2.arn}/*"
    ]
  }

  statement {
    sid = "AllowEnableS3EventBridgeEvents"
    actions = [
      "s3:PutBucketNotification",
      "s3:GetBucketNotification"
    ]
    effect = "Allow"
    resources = [
      aws_s3_bucket.test2.arn
    ]
  }

  statement {
    sid = "AllowPutValidationObject"
    actions = [
      "s3:PutObject"
    ]
    effect = "Allow"
    resources = [
      "${aws_s3_bucket.test2.arn}/malware-protection-resource-validation-object"
    ]
  }

  statement {
    sid = "AllowCheckBucketOwnership"
    actions = [
      "s3:ListBucket"
    ]
    effect = "Allow"
    resources = [
      aws_s3_bucket.test2.arn
    ]
  }

  statement {
    sid = "AllowMalwareScan"
    actions = [
      # Customer bucket is versioned
      "s3:GetObject",
      # Customer bucket is not versioned
      "s3:GetObjectVersion"
    ]
    effect = "Allow"
    resources = [
      "${aws_s3_bucket.test2.arn}/*"
    ]
  }
}

resource "aws_s3_bucket" "test2" {
  bucket        = %[1]q
  force_destroy = true
}

resource "aws_iam_role" "test2" {
  name               = %[1]q
  assume_role_policy = data.aws_iam_policy_document.assume_role.json

  inline_policy {
    name   = %[1]q
    policy = data.aws_iam_policy_document.test2.json
  }
}

resource "aws_guardduty_malware_protection_plan" "test" {
  role = local.select_bucket == "first" ? aws_iam_role.test.arn : aws_iam_role.test2.arn

  protected_resource {
    s3_bucket {
      bucket_name = local.select_bucket == "first" ? aws_s3_bucket.test.id : aws_s3_bucket.test2.id
    }
  }
}
`, rName2, selectBucket),
	)
}

func testAccMalwareProtectionPlanConfig_protectedResourceS3BucketObjectPrefixesOne(rName, objectPrefixValue string) string {
	return acctest.ConfigCompose(
		testAccMalwareProtectionPlanConfigBase(rName),
		fmt.Sprintf(`
resource "aws_guardduty_malware_protection_plan" "test" {
  role = aws_iam_role.test.arn

  protected_resource {
    s3_bucket {
      bucket_name     = aws_s3_bucket.test.id
      object_prefixes = [%[1]q]
    }
  }
}
`, objectPrefixValue),
	)
}

func testAccMalwareProtectionPlanConfig_protectedResourceS3BucketObjectPrefixesTwo(rName, objectPrefixValue1, objectPrefixValue2 string) string {
	return acctest.ConfigCompose(
		testAccMalwareProtectionPlanConfigBase(rName),
		fmt.Sprintf(`
resource "aws_guardduty_malware_protection_plan" "test" {
  role = aws_iam_role.test.arn

  protected_resource {
    s3_bucket {
      bucket_name     = aws_s3_bucket.test.id
      object_prefixes = [%[1]q, %[2]q]
    }
  }
}
`, objectPrefixValue1, objectPrefixValue2),
	)
}

func testAccMalwareProtectionPlanConfig_protectedResourceS3BucketObjectPrefixesZero(rName string) string {
	return acctest.ConfigCompose(
		testAccMalwareProtectionPlanConfigBase(rName), `
resource "aws_guardduty_malware_protection_plan" "test" {
  role = aws_iam_role.test.arn

  protected_resource {
    s3_bucket {
      bucket_name     = aws_s3_bucket.test.id
      object_prefixes = []
    }
  }
}
`,
	)
}
